The worm looks for processes in memory from the following list and terminates them.
KPF.EXE KPFW32.EXE AVPM.EXE AUTODOWN.EXE
AVKSERV.EXE AVPUPD.EXE BLACKD.EXE
CFIND.EXE CLEANER.EXE ECENGINE.EXE F-PROT.EXE
FP-WIN.EXE IAMSERV.EXE ICLOADNT.EXE IFACE.EXE LOOKOUT.EXE
N32SCAN.EXE NAVW32.EXE NORMIST.EXE PADMIN.EXE
PCCWIN98.EXE RAV7WIN.EXE SCAN95.EXE SMC.EXE TCA.EXE VETTRAY.EXE VSSTAT.EXE ACKWIN32.EXE
AVCONSOL.EXE AVPNT.EXE AVPDOS32.EXE AVSCHED32.EXE BLACKICE.EXE EFINET32.EXE CLEANER3.EXE
ESAFE.EXE F-PROT95.EXE FPROT.EXE IBMASN.EXE ICMOON.EXE
IOMON98.EXE LUALL.EXE NAVAPW32.EXE NAVWNT.EXE NUPGRADE.EXE
PAVCL.EXE PCFWALLICON.EXE RESCUE.EXE SCANPM.EXE
SPHINX.EXE TDS2-98.EXE VSSCAN40.EXE WEBSCANX.EXE
WEBSCAN.EXE ANTI-TROJAN.EXE AVE32.EXE AVP.EXE AVPM.EXE
AVWIN95.EXE CFIADMIN.EXE CLAW95.EXE DVP95.EXE ESPWATCH.EXE
F-STOPW.EXE FRW.EXE IBMAVSP.EXE ICSUPP95.EXE JED.EXE
MOOLIVE.EXE NAVLU32.EXE NISUM.EXE NVC95.EXE NAVSCHED.EXE
PERSFW.EXE SAFEWEB.EXE SCRSCAN.EXE SWEEP95.EXE
TDS2NT.EXE VSECOMR.EXE WFINDV32.EXE AVPCC.EXE
AVPCC.EXE APVXDWIN.EXE AVGCTRL.EXE AVP32.EXE
AVPTC32.EXE AVWUPD32.EXE CFIAUDIT.EXE
CLAW95CT.EXE DV95_O.EXE DV95.EXE F-AGNT95.EXE
FINDVIRU.EXE IAMAPP.EXE ICLOAD95.EXE ICSSUPPNT.EXE
LOCKDOWN2000.EXE MPFTRAY.EXE NAVNT.EXE NMAIN.EXE OUTPOST.EXE NAVW.EXE RAV7.EXE
SCAN32.EXE SERV95.EXE TBSCAN.EXE VET95.EXE VSHWIN32.EXE ZONEALARM.EXE VPMON.EXE AVP32.EXE
It copies itself twice to the temporary directory under a random name, once with a ".exe" extension and once with a ".tft" extension. It then copies itself a third time to the Windows
system directory, again under a random name.
The worm also drops a file called avril-ii.inf into the temporary directory and puts the following text in it:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II|
(remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8),
Darkside Project(http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
Cheerz, Otto (www.otto-koden.h1.ru)
It adds the value "Avril Lavigne – Muse" to the registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
so that the worm is run each time the computer starts.
The worm sends email to all the email addresses it finds in the Windows Address Book, and it also uses email addresses it collects from files with these extensions:
.IDX
.NCH
.SHTML
.TBB
.HTM
.EML
.HTML
.WAB
.MBX
.DBX
The subject of Lirva.C when it arrives in your mailbox is chosen from the following list:
Fw: Prohibited customers
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
The body of the infected email is chosen from these paragraphs:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
Avril fans subscription FanList admits you to
take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I’m with you!
Admission form attached below
The name of the attached file is chosen from the following names:
Resume.exe Download.exe MSO-Patch-0071.exe MSO-Patch-0035.exe Two-Up-Secretly.exe Transcripts.exe Readme.exe AvrilSmiles.exe AvrilLavigne.exe Complicated.exe Singles.exe Sophos.exe Cogito_Ergo_Sum.exe CERT-Vuln-Info.exe Sk8erBoi.exe IAmWiThYoU.exe
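As an added illustration, not part of the original analysis, the following Python function shows how a mail gateway could screen incoming messages against the subject lines and attachment names listed above; the sample messages are constructed for the example, not real captures.

```python
import email
from email import policy

# Indicators copied from the subject and attachment lists above.
LIRVA_SUBJECTS = {
    "Fw: Prohibited customers", "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit", "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security", "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger", "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
}
LIRVA_ATTACHMENTS = {
    "resume.exe", "download.exe", "mso-patch-0071.exe", "mso-patch-0035.exe",
    "two-up-secretly.exe", "transcripts.exe", "readme.exe", "avrilsmiles.exe",
    "avrillavigne.exe", "complicated.exe", "singles.exe", "sophos.exe",
    "cogito_ergo_sum.exe", "cert-vuln-info.exe", "sk8erboi.exe", "iamwithyou.exe",
}
_SUBJECTS_FOLDED = {s.casefold() for s in LIRVA_SUBJECTS}

def check_message(raw: bytes) -> dict:
    """Match a raw RFC 822 message against the Lirva.C lure indicators.

    Returns whether the subject matched, which attachment names matched
    (case-insensitively), and a quarantine/pass verdict.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().casefold()
    attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").casefold() in LIRVA_ATTACHMENTS
    ]
    subject_match = subject in _SUBJECTS_FOLDED
    verdict = "quarantine" if subject_match or attachments else "pass"
    return {"subject_match": subject_match, "attachments": attachments, "verdict": verdict}

# Constructed sample (not a real capture): a Lirva.C subject plus a lure attachment
# whose body is placeholder bytes, not an executable.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
    b"Subject: Re: Reply on account for IIS-Security\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nNetwork Associates weekly report:\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"MSO-Patch-0071.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"MSO-Patch-0071.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nZHVtbXk=\r\n--b1--\r\n"
)
# Constructed benign message with no indicators.
BENIGN_MESSAGE = b"Subject: Lunch on Friday?\r\n\r\nSee you at noon.\r\n"

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))   # verdict: quarantine
    print(check_message(BENIGN_MESSAGE))   # verdict: pass
```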
It copies itself to the root directory and the Recycled directory of all network shares.
It copies itself to the KaZaA download folder under a random name.
If it finds ICQMAPI.DLL, the worm sends itself to everybody in your ICQ contact list.
It drops a file into the mIRC directory so that every time you log on to IRC you will connect to the channel #avrillavigne, and whenever others join any channel you are on it will send itself to
them.